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Abstract 

A planetary rover will be traversing largely unknown and 
often unknowable terrain. In addition to geometric obsta- 
cles such as cliffs, rocks, and holes, it may also have to 
deal with non-gcomctric hazards such as soft soil and sur- 
face breakthroughs which often cannot be detected until 
rover is in imminent danger. Therefore, the rover must 
monitor its progress throughout a traverse, making sure to 
stay on course and to detect and act on any previously un- 
seen hazards. Its onboard planning system must decide 
what sensors to monitor, what landmarks to take position 
readings from, and what actions to take if something 
should go wrong. This paper describes the planning sys- 
tems being developed for the Pathfinder Planetary Rover 
to perform these execution monitoring tasks. This system 
includes a network of planners to perform path planning, 
expectation generation, path analysis, sensor and reaction 
selection, and resource allocation. 


1, Introduction 

Efforts arc currently underway to develop an autonomous 
mobile robot for the unmanned exploration of planetary 
surfaces. Such a robot must be able to plan its actions 
based on sensor data which is inexact and incomplete. 
Furthermore, there are non-geometric hazards such as 
dust pits and unstable slopes which cannot be detected re- 
liably with remote sensors. Therefore the robot must pos- 
sess a robust execution monitoring system which will 
allow it to detect and recover from unexpected occurrenc- 
es in real lime during path execution. The execution 
monitoring system described in this paper consists of an 
integrated architecture that includes a number of different 
planning systems working together. 

There arc several issues which must be addressed when 
designing an execution monitoring system. First, the 
computational resources available at run time may not be 


sufficient to constantly monitor all of the vehicle sensors 
at once. Therefore the system must choose judiciously 
which sensors to monitor and with what duty cycle to 
monitor them. The system also must schedule the opera- 
tion of sensors such as cameras or rangefinders which 
may require significant amounts of time for aiming and 
data processing. Ideally, when an unexpected sensor 
reading is encountered, the system should be able to diag- 
nose the source of the problem and take appropriate cor- 
rective action. This must occur in real time as sensor vio- 
lations could indicate that the vehicle is in imminent dan- 
ger, The rover must not compute for an hour to decide to 
back out of a dust pit into which it is sinking. Finally, the 
use of shared resources during execution monitoring must 
be coordinated with the other subsystems that use those 
resources (i e.g cameras might be used by the science sub- 
system as well as for navigation). 

This paper describes an execution monitoring system cur- 
rently under development which addresses many of these 
issues. The system is integrated into an autonomous path- 
planning and execution system which controls a six- 
wheeled vehicle traversing rough outdoor terrain. Section 
2 gives an overview of the entire vehicle control system. 
Section 3 describes the execution monitoring runtime sys- 
tem which monitors the vehicle during a path traverse. 
Section 4 describes the execution monitoring planner 
which produces the execution monitoring profiles that 
control the runtime system. Section 5 presents an exam- 
ple. Section 6 summarizes, 

2. System Overview 

In the semiautonomous navigation (SAN) approach which 
we are investigating, local paths (five to ten meters in 
length) arc planned autonomously using local sensor data 
obtained by the vehicle. This local path planning is 
guided by a global route which is planned off-line using a 
low-resolution topographic map. The global route lakes 
the form of a potential field defined over a region between 
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the rover’s starting location and goal [Payton88, 
Arkin89], After the local path is generated, it is simulated 
to generate sensor expectations and appropriate reflexes 
arc set up for execution when a sensor expectation is vio- 
lated. Finally, the path plan, including expectations and 
reflexes is made available for execution. The various 
steps in this process arc coordinated by a system execu- 
tive. A block diagram of the overall system is shown in 
figure 1. 

The system operates in cycles. At the beginning of a 
cycle, the system executive instructs the vehicle’s sens- 
ing and perception system to construct a model of the ter- 
rain surrounding the vehicle. This model is based on in- 
formation from stereo cameras, laser rangefinders, and a 
low-resolution database provided by an orbiting space- 
craft. The final local model includes height, slope and 
roughness information at varying resolutions, and is in a 
form that is independent of the particular physical sensors 
used to collect the data [Gcnnery77, Gennery80, 
Wilcox87]. 

The local terrain model is passed to the path planning sub- 
system along with a goal location from the system execu- 
tive. The path planner constructs a local path between 
five and ten meters in length [Mil!er 87 , Slack87]. This 
path is passed to a vehicle simulator which performs a de- 
tailed kinematic simulation of the vehicle traversing the 
planned path. This simulation serves two functions. 
First, the resulting information can be used by the planner 
to perform local optimization of the path. This is done by 
making small changes to the original path and sending it 
to the simulator again to determine if a more efficient path 
results [Thorpe84]. Energy to power the rover’s motors 
and computers is a scarce resource so the local optimiza- 
tion continues as long as the energy saved by optimizing 
the path is more than the energy required to compute the 
optimizations [Milicr89]. 

The simulator’s second function is to produce expected 
values for all of the physical sensors on the vehicle as it 
traverses the path. These expected values are used by the 
execution monitoring planner to construct execution mon- 
itoring profiles. These profiles tell the run-time execution 
monitoring system which sensors to monitor and when to 
monitor them. 

The execution monitoring planner also contains a predic- 
tive monitoring system which attempts to identify specific 
problems which may arise during path execution. When 
it identifies a potential problem, it inserts a set of monitor- 
ing parameters and recovery procedures to detect and deal 
with the problem should it arise. For example, large areas 
devoid of rocks may be dust pits. If the rover is about to 
traverse such an area, the predictive monitor may insert 
specialized sensor operations into the plan to look for 
deep dust in that area of the traverse [Linden87, 
Doylc89]. 



Figure 1: The Execution Monitoring System 


The planned path, execution monitoring parameters, and 
recovery procedures are integrated by the execution moni- 
toring planner into a locally consistent plan using a simple 
resource scheduler and the result is passed back to the 
system executive. The system executive checks that this 
plan conforms to any global constraints that the rover has, 
such as power limits, shared resource constraints or tem- 
poral deadlines. If the plan is acceptable, the system ex- 
ecutive passes that plan to the vehicle control system to 
actually move the vehicle along the planned path. During 
the traverse, if a sensor reading falls outside of its profile 
(Le. t an expectation is violated), the vehicle immediately 
aborts execution of the remainder of the path and executes 
the recovery procedure associated with that violation (if 
any). 

The system executive then begins a new cycle with the 
construction of a fresh local terrain model. This may be 
done during the traverse of a previous path in order to 
allow interleaved operation of the various subsystems and 
continuous movement of the vehicle. 

3 The Execution Monitoring Runtime System 

Vehicle sensors come in three varieties. First, there arc 
physical sensors which do not require resource schedul- 
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ing, such as wheel encoders and inclinometers. Their val- 
ues are available continuously to any subsystem which 
needs them. Second, there are physical sensors which re- 
quire resource scheduling such as cameras which must be 
aimed in the right direction at the right time and which re- 
quire significant processing before useful information is 
available from them. Finally, there are virtual sensors 
whicharc mathematical functions defined over the values 
of the physical sensors. For example, there are virtual 
sensors for the vehicle’s absolute spatial location in 
Cartesian coordinates. These values do not correspond to 
any physical sensor, but arc computed using the values of 
many different sensors. A virtual sensor may require re- 
source scheduling. 

From the point of view of the execution monitoring runt- 
ime system, no distinction is made between a physical 
sensor and a virtual sensor. Complex interactions among 
physical sensors are monitored by setting bounds on a sin- 
gle, specially coded virtual sensor function. Virtual sen- 
sors allow the runtime system to be simple and efficient 
which is essential to achieve real-time performance. 

The behavior of the runtime system is defined by a set of 
execution monitoring profiles computed by the execution 
monitoring planner. An execution monitoring profile de- 
fines an envelope of acceptable values for one sensor, 
called the dependent sensor, as a function of another, the 
independent sensor. The envelope is defined by a set of 
ranges and associated minimum and maximum values for 
the dependent sensor. The minimum and maximum val- 
ues specify the limits on the dependent sensor whenever 
the value of the independent sensor falls in the associated 
range. 

Assigned to each minimum and maximum value is a re- 
flex action to be performed if the value of the dependent 
sensor should violate one of its limits. The reflex action 
is simply an index into a table of precomputed reflex ac- 
tions which can be augmented by the execution monitor- 
ing planner. Thus, at runtime, the invocation of a reflex 
action once a sensor violation is detected can be virtually 
instantaneous. 

By far the most common reflex action is simply to slop 
the vehicle. However, there are times when this is not ap- 
propriate. For example, if the front wheels suddenly start 
spinning free, and the suspension encoders indicate that 
those wheels have suddenly dropped, then the front of the 
rover has probably broken through the surface. If this was 
not expected, the rover should immediately slop and 
backup to avoid gelling completely mired. 

The runtime system can also be used to accurately posi- 
tion the vehicle relative to certain physical landmarks. 
Suppose the rover needs to position itself one meter from 
a certain rock in order to collect a sample. This can be ac- 
complished by aiming the rover’s rangefinder at the rock 
and setting up a reflex action to stop the vehicle when the 


range is one meter. Positioning accuracy can often be sig- 
nificantly improved over simple dead reckoning using 
such techniques. 

4 The Execution Monitoring Planner 

The execution monitoring planner uses the local terrain 
model and information generated by the traverse simula- 
tor to produce a set of execution monitoring profiles. 
These profiles define acceptable ranges for the values of 
vehicle sensors during the traverse. Whenever the value 
of a vehicle sensor goes out of the bounds specified by an 
execution monitoring profile the vehicle immediately exe- 
cutes the reflex action associated with that profile. 

The traverse simulator uses the local terrain data, and its 
uncertainty, to produce expected value ranges for all of 
the vehicle’s physical non-schedulcd sensors at points 
every few centimeters along the path. These values arc 
analyzed by the execution monitoring planner in order to 
construct a first set of execution monitoring parameters. 
The planner selects segments of the path where the ex- 
pected sensor values are more or less constant and sets the 
limits on that sensor to a value close to the expected devi- 
ations predicted by the simulator. The planner attempts to 
achieve maximum sensor coverage with a minimum of 
execution monitoring parameters since the performance of 
the runtime system becomes impaired as the number of 
parameters grows large. 

This initial set of parameters is almost certain to detect a 
deviation from expected behavior should one occur. 
However, at runtime, it is very difficult to quickly deter- 
mine the cause of a problem and decide on an appropriate 
reflex action using raw physical sensor data alone. Thus, 
the execution monitoring planner includes a second level 
of processing to examine the local terrain model and at- 
tempt to predict potential problems in the plan. This pre- 
dictive monitoring system uses a rule-based model of the 
domain physics which includes information about the 
likely locations of dust bowls, loose gravel, and other 
non-geometric hazards. Once the system has identified a 
potential problem, it finds (or constructs) a virtual sensor, 
or a set of virtual sensors, to delect that problem specifi- 
cally and assigns reflexes to handle the problem should it 
occur. 

The predictive monitor also examines the local terrain 
model for geometric features that it can use as landmarks 
if special positioning accuracy is required during a tra- 
verse. When such landmarks are used, the system gener- 
ates an execution monitoring profile to check the land- 
mark at strategic points in the traverse, taking into ac- 
count such things as visibility of the landmark and possi- 
bility of confusion with similar nearby landmarks 
[Chatila85]. 

All of the execution monitoring parameters generated by 
these mechanisms are passed to a simple resource sched- 
uler which removes temporal conflicts among shared re- 
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sources. For example, if many landmarks are to be moni- 
tored the traverse plan may have to include delays to 
allow sensors to be pointed, or there might be more subtle 
conflicts involving power usage, setup or computation 
time. In addition, the resource scheduler takes into ac- 
count some constraints which it may be given by the sys- 
tem executive ( e.g power or time limitations) [Miller86]. 

Finally, the path description, annotated with the sclf-con- 
sislcnt execution monitoring profiles, is passed back to 
the system executive, which then passes it on to the vehi- 
cle control subsystem for execution. 

5 Example 

As an example of the operation of the execution monitor- 
ing system, consider the situation depicted in figure 2. 
The rover path planning subsystem has planned a 10 
meter long path that goes between a large rock outcrop- 
ping to the left of the vehicle and a group of four boulders 
to the right. The traverse route is mostly flat, with a large 
open area around the second half of the path. This is 
passed to the vehicle simulator which generates expected 
values for the vehicle sensors along the path. 

For simplicity wc consider only five vehicle sensors in 
this example, an odometer, an inclinometer, a compass, an 
elapsed-time clock, and a pointable range finder. From 
the expected values generated by the simulator, the fol- 
lowing execution monitoring parameters could be de- 
rived: 

Dependent Independent 


Sensor 

Sensor 

Range. 

Min 

Mas. 

Inclinometer 

Odometer 

0m 

-10° 

10° 

Compass 

Odometer 

0m 

-45° 

10° 

Compass 

Odometer 

2 m 

-50° 

-40° 

Compass 

Odometer 

4 m 

•50° 

10° 

Compass 

Odometer 

6 m 

O 

o 

cs 

1 

20° 

Odometer 

Clock 

30 sec 

9 m 

11 m 


The first parameter checks the vehicle tilt along the entire 
path. Since the entire traverse area is fairly fiat, all of the 
inclinometer monitoring is accomplished by a single pa- 
rameter. 

Monitoring the vehicle heading is somewhat more com- 
plex. The path is segmented into four pieces. Between 0 
and 2 meters the vehicle is turning towards the southeast 
and so the acceptable range for the heading is quite large. 
Between 2 and 4 meters the rover travels in more or less a 
straight line, and so the acceptable range is narrower. 
There is another transition segment between 4 and 6 
meters, and another straight segment between 6 and 10 



Figure 2: A 10 meter path. 


meters. 

The final execution monitoring parameter states that the 
path must be nearing completion before 30 seconds have 
elapsed. On the actual vehicle there would be wheel slip 
sensors which could detect lack of progress long before 
the end of the path. 

These parameters represent the simplest son of analysis 
that can be performed on the simulation data: the sensor 
values are simply analyzed for segments where the values 
all fall within a certain range. This sort of analysis works 
well when sensor values are constants, but often creates 
transition regions where sensor values are not closely 
monitored, such as the path segments where the vehicle 
heading is changing. In these cases, the execution moni- 
toring planner could construct a virtual sensor which com- 
pared, say, the vehicle heading to the odometer reading 
(normalized to the start of the transition region) and set up 
an execution monitoring parameter which monitored the 
ratio of these two values. Similar correlations can allow 
nearly every sort of sensor value transition to be moni- 
tored as closely as necessary. 

Finally, the predictive monitor could insert a number of 
execution monitoring parameters in this situation. It 
might, for example, schedule a range reading off the rock 
outcropping on the left of the vehicle just before the vehi- 
cle entered the area between the rocks. This would ensure 
that the vehicle was not in danger of colliding with a rock 
as a result of dead reckoning errors. The system might 
also notice that the large open area towards the end of the 
path could be a dust bowl, and insert more checks on ve- 
hicle articulation. The operation of the predictive monitor 
is highly heuristic and is based strongly on domain-depen- 
dent issues which will be the subject of future research. 
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6 Summary 

An autonomous planelary rover needs a robust execution 
monitoring system to detect and recover from unexpected 
occurrences in real time. A system which addresses these 
goals is currently under development and the Jet 
Propulsion Laboratory. 

The system has two major components, an execution 
monitoring planner and a runtime system. The runtime 
system is very simple, which allows it to respond to situa- 
tions in real time. All of the complex computations are 
done by the execution monitoring planner before execu- 
tion begins. 

The execution monitoring planner produces execution 
monitoring profiles which describe acceptable limits on 
the values of the vehicle’s sensors at various stages during 
the traverse. Vehicle sensors may be actual physical sen- 
sors, or they may be virtual sensors which are simply 
mathematical functions defined over the values of the 
physical sensors. This allows complex aspects of the 
vehicle’s performance to be monitored efficiently. 

The execution monitoring planner derives profiles from 
two sources. The first is a vehicle traverse simulator 
which computes the expected values and variances for all 
of the vehicle’s physical sensors at a series of points 
throughout the traverse. The second is a predictive moni- 
toring system which anticipates potential problems and 
inserts explicit checks and recovery procedures for those 
problems. 

All of the execution monitoring parameters are passed 
through a task scheduler to remove conflicts among 
shared resources. The final, self-consistent traverse plan 
is sent to the rover’s system executive which fits the plan 
into the vehicle’s global plan. If the plan is acceptable, it 
is sent to the vehicle control subsystem for execution. 

During execution the runtime system checks the values of 
the vehicle sensors against the limits imposed by the exe- 
cution monitoring profiles. If these limits are violated, 
the remainder of the path traverse is aborted and a reflex 
action associated with the violated profile is executed. 
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